Submitted by Ziv Mador and Ryan Barnett
This blog post will summarize a recent talk that we (Ryan Barnett and Ziv Mador) gave at the RSA 2014 conference where we showed how tactics used by different cyber-criminal gangs could be used by defenders. You can also listen to this previous SpiderLabs Radio podcast where Karl Sigler interviewed us about our talk.
You may be familiar with the Ouroboros symbol where a Serpent is eating its own tail. It symbolizes cyclicality and self-recreation and is applicable to the constant battles that security vendors/researchers have when facing bad guys. For our presentation, we used a modified version called "Dual Ouroboros" where you have two Serpents eating each other's tails.
This is the essence of the concept that we wanted to promote in our talk where we want to leverage the tactics and techniques used by one group of criminals and apply them defensively to help protect against a different criminal element.
Although there have been numerous articles posted, I thought I would write about my recent presentation at the RSA Conference on the subject of touchlogging.
Since many people have asked, I got the term touchlogging from this paper. I do not know if it has been used before, but I decided it was a good name for my presentation.
The idea for the project came from a penetration testing engagement for which we compared financial malware on the Windows platform with (potential) malware on mobile platforms. The goal was to find the various components that allowed the malware to capture financial data and see whether it could be moved to the mobile platforms. It was quickly realized that the key component was the keylogging mechanism.
This blog post will discuss a section from Recipe 8-5: Detecting Browser Fingerprint Changes During Sessions in my book "Web Application Defender's Cookbook: Battling Hackers and Protecting Users".
Web client fingerprinting is a centerpiece of modern web fraud detection systems and goes way beyond simply capturing the User-Agent field submitted by clients within web transactions. For instance, common web client fingerprinting usually includes sending client executable code that queries the browser for various settings such as:
A little over a month ago, I published a Metasploit auxiliary module for brute-forcing Cisco ASDM logins that accompanied one of our TrustKeeper Scan Engine updates. Shortly afterwards, I received requests from a couple of people to share how I was able to get access to the inside of the ASDM transport layer, which is encrypted with SSL.
Well, the short answer is that SSL isn’t really that much of a hurdle if the thick client you're reversing doesn’t verify the validity of the SSL certificates it’s being presented with.
The longer answer, and one I hope to answer during the course of this post, is that Burp makes "middling" non-proxy-aware HTTPS thick clients (like ASDM) a pretty simple and straightforward process, and I'll show you how.
In this article I will discuss CVE-2014-0050: Apache Commons FileUpload and Apache Tomcat Denial-of-Service in detail. The article reviews the vulnerability's technical aspects in depth and includes recommendations that can help administrators defend from future exploitation of this security issue.
This blog post presents a powerful feature of ModSecurity v2.7 that has been highly under-utilized by most users: HMAC Token Protection. There was a previous blog post written that outlined some usage examples here, however we did not properly demonstrate the protection coverage gained by its usage. Specifically, by using the HMAC Token Protection capabilities of ModSecurity, you can reduce the attack surface of the following attacks/vulnerabilities:
It’s the second Tuesday in January, so it is Oracle Critical Patch Update (CPU) time. The January 2014 CPU contains 144 fixes across Oracle’s Database, Fusion Middleware, E-Business Suite, PeopleSoft, Siebel, Oracle and Sun Systems Product Suite, MySQL, Oracle Linux and Virtualization, Oracle Java and some other less common product lines.
Read on for more information about what's included in this month's update.
During a recent application penetration test, I came across what proved to be an interesting SQL Injection (SQLi) vulnerability. This case of SQLi was interesting for a couple of reasons:
Below, I’ll walk you through the hurdles that I encountered and how I overcame them to lead to full data extraction.